Proofs of Storage from Homomorphic Identification Protocols
Cited by 66 (3 self)
Proofs of storage (PoS) are interactive protocols allowing a client to verify that a server faithfully stores a file. Previous work has shown that proofs of storage can be constructed from any homomorphic linear authenticator (HLA). The latter, roughly speaking, are signature/message authentication schemes where ‘tags’ on multiple messages can be homomorphically combined to yield a ‘tag’ on any linear combination of these messages. We provide a framework for building public-key HLAs from any identification protocol satisfying certain homomorphic properties. We then show how to turn any public-key HLA into a publicly-verifiable PoS with communication complexity independent of the file length and supporting an unbounded number of verifications. We illustrate the use of our transformations by applying them to a variant of an identification protocol by Shoup, thus obtaining the first unbounded-use PoS based on factoring (in the random oracle model).
Providing Receipt-freeness in Mixnet-based Voting Protocols
In Proc. of Information Security and Cryptology (ICISC’03), volume 2971 of LNCS, 2003
Cited by 32 (4 self)
It had been thought that it is difficult to provide receipt-freeness in mixnet-based electronic voting schemes. Any kind of user chosen randomness can be used to construct a receipt, since a user can prove to a buyer how he had encrypted the ballot. In this paper we propose a simple and efficient method to incorporate receipt-freeness in mixnet-based electronic voting schemes by using the well known re-encryption technique and designated verifier re-encryption proof (DVRP). In our scheme a voter has to prepare his encrypted ballot through a randomization service provided by a tamper resistant randomizer (TRR), in such a way that he finally loses his knowledge on randomness. This method can be used in most mixnet-based electronic voting scheme to provide receipt-freeness.
A universally composable mixnet.
TCC 2004. LNCS, 2004
Cited by 30 (5 self)
Abstract. A mixnet is a cryptographic protocol executed by a set of mix-servers that provides anonymity for a group of senders. The main application is electronic voting. Numerous mixnet constructions and stand-alone definitions of security are proposed in the literature, but only partial proofs of security are given for most constructions and no construction has been proved secure with regards to any kind of composition. We define an ideal mixnet in the universally composable security framework of Canetti
Non-interactive zero-knowledge arguments for voting
In proceedings of ACNS ’05, LNCS series, 2005
Cited by 28 (1 self)
Abstract. In voting based on homomorphic threshold encryption, the voter encrypts his vote and sends it in to the authorities that tally the votes. If voters can send in arbitrary plaintexts then they can cheat. It is therefore important that they attach an argument of knowledge of the plaintext being a correctly formed vote. Typically, these arguments are honest verifier zero-knowledge arguments that are made non-interactive using the Fiat-Shamir heuristic. Security is argued in the random oracle model. The simplest case is where each voter has a single vote to cast. Practical solutions have already been suggested for the single vote case. However, as we shall see homomorphic threshold encryption can be used for a variety of elections, in particular there are many cases where voters can cast multiple votes at once. In these cases, it remains important to bring down the cost of the NIZK argument. We improve on state of the art in the case of limited votes, where each voter can vote a small number of times. We also improve on the state of the art in shareholder elections, where each voter may have a large number of votes to spend. Moreover, we improve on the state of the art in Borda voting. Finally, we suggest a NIZK argument for correctness of an approval vote. To the best of our knowledge, approval voting has not been considered before in the cryptographic literature.
Efficient cryptographic protocol design based on distributed El Gamal encryption
 In Proceedings of 8th International Conference on Information Security and Cryptology (ICISC
, 2005
Cited by 28 (0 self)
Abstract. We propose a set of primitives based on El Gamal encryption that can be used to construct efficient multiparty computation protocols for certain low-complexity functions. In particular, we show how to privately count the number of true Boolean disjunctions of literals and pairwise exclusive disjunctions of literals. Applications include efficient two-party protocols for computing the Hamming distance of two bitstrings and the greater-than function. The resulting protocols only require 6 rounds of interaction (in the random oracle model) and their communication complexity is O(kQ) where k is the length of bitstrings and Q is a security parameter. The protocols are secure against active adversaries but do not provide fairness. Security relies on the decisional Diffie-Hellman assumption and error probability is negligible in Q.
Sublinear zero-knowledge argument for correctness of a shuffle
Proceedings of EUROCRYPT 2008, LNCS 4965, 2008
Cited by 27 (2 self)
A shuffle of a set of ciphertexts is a new set of ciphertexts with the same plaintexts in permuted order. Shuffles of homomorphic encryptions are a key component in mixnets, which in turn are used in protocols for anonymization and voting. Since the plaintexts are encrypted it is not directly verifiable whether a shuffle is correct, and it is often necessary to prove the correctness of a shuffle using a zero-knowledge proof or argument. In previous zero-knowledge shuffle arguments from the literature the communication complexity grows linearly with the number of ciphertexts in the shuffle. We suggest the first practical shuffle argument with sublinear communication complexity. Our result stems from combining previous work on shuffle arguments with ideas taken from probabilistically checkable proofs.
Split-Ballot Voting: Everlasting Privacy With Distributed Trust
Cited by 26 (1 self)
In this paper we propose a new voting protocol with several desirable security properties. The voting stage of the protocol can be performed by humans without computers; it provides every voter with the means to verify that all the votes were counted correctly (universal verifiability) while preserving ballot secrecy. The protocol has “everlasting privacy”: even a computationally unbounded adversary gains no information about specific votes from observing the protocol’s output. Unlike previous protocols with these properties, this protocol distributes trust between two authorities: a single corrupt authority will not cause voter privacy to be breached. Finally, the protocol is receipt-free: a voter cannot prove how she voted even if she wants to do so. We formally prove the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions.
Receipt-free homomorphic elections and write-in voter verified ballots
INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, MAY 2, 2004, AND CARNEGIE MELLON INSTITUTE FOR SOFTWARE RESEARCH INTERNATIONAL, 2004
Cited by 26 (0 self)
We present a voting protocol that protects voters’ privacy and achieves universal verifiability, receipt-freeness, and uncoercibility without ad hoc physical assumptions or procedural constraints (such as untappable channels, voting booths, smart cards, third-party randomizers, and so on). We discuss under which conditions the scheme allows voters to cast write-in ballots, and we show how it can be practically implemented through voter-verified (paper) ballots. The scheme allows voters to combine voting credentials with their chosen votes applying the homomorphic properties of certain probabilistic cryptosystems.
On Some Incompatible properties of Voting Schemes
In Proceedings of the IAVoSS Workshop on Trustworthy Elections, 2006.
Cited by 25 (1 self)
Abstract. In this paper, we study the problem of simultaneously achieving several security properties, for voting schemes, without nonstandard assumptions. This paper is a work in progress. More specifically, we focus on the universal verifiability of the computation of the tally, on the unconditional privacy/anonymity of the votes, and on the receipt-freeness properties. More precisely, under usual assumptions and efficiency requirements, we show that we cannot achieve: – universal verifiability of the tally (UV) and unconditional privacy of the votes (UP) simultaneously, unless all the registered voters actually vote; – universal verifiability of the tally (UV) and receipt freeness (RF), unless the voting process involves interactions between several voters (and possibly the voting authority).
Verifiable Shuffles: A Formal Model and a Paillier-based Efficient Construction with Provable Security
2005
Cited by 23 (0 self)
We propose a formal model for security of verifiable shuffles and a new efficient verifiable shuffle system based on the Paillier encryption scheme, and prove its security in the proposed model. The model is general, so it can be extended to verifiable shuffle decryption and provides a direction for provable security of mixnets.